Skip to content

Update jinja2 requirement from >=3.1.4 to >=3.1.6#1300

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/jinja2-gte-3.1.6
Closed

Update jinja2 requirement from >=3.1.4 to >=3.1.6#1300
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/jinja2-gte-3.1.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 12, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on jinja2 to permit the latest version.

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7
Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
  • Calling sync render for an async template uses asyncio.run. :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
  • The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation. :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
  • Fix copy/pickle support for the internal missing object. :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 12, 2026
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jun 12, 2026
@meta-codesync

meta-codesync Bot commented Jun 12, 2026

Copy link
Copy Markdown

This pull request has been imported. If you are a Meta employee, you can view this in D108447349. (Because this pull request was imported automatically, there will not be any future comments.)

meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
meta-codesync Bot pushed a commit that referenced this pull request Jun 19, 2026
Summary:
Bump `jinja2` minimum from `>=3.1.4` to `>=3.1.6` in `docs/requirements.txt`.
Includes security fix GHSA-cpwx-vrp4-4pq7 (`|attr` filter sandbox bypass).

Recreated from D108447349 (bot-authored, could not submit as non-author).


Differential Revision: D109102183
Updates the requirements on [jinja2](https://github.com/pallets/jinja) to permit the latest version.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.4...3.1.6)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/pip/jinja2-gte-3.1.6 branch from 5642af7 to 482bc7d Compare June 19, 2026 06:26
@kiukchung kiukchung closed this Jul 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot
dependabot Bot deleted the dependabot/pip/jinja2-gte-3.1.6 branch July 7, 2026 21:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant